Posted by Tom Braun on July 25, 2005, 8:26 pm
There seem to be many people who use netflow to monitor their network.
But the other day, I found this here, where someone is raising some
serious concerns about netflow:
http://esphion.blogs.com/esphion/2005/07/more_problems_w.html
They are specifically talking about anomaly detection and are proposing
using a packet based solution instead.
What is the consensus or at least, what are the most popular opinions,
when it comes to netflow? Does this person have a point, or is this all
nonsense?
Tom
Posted by Walter Roberson on July 26, 2005, 6:43 pm
:There seem to be many people who use netflow to monitor their network.
:But the other day, I found this here, where someone is raising some
:serious concerns about netflow:
: http://esphion.blogs.com/esphion/2005/07/more_problems_w.html
:They are specifically talking about anomaly detection and are proposing
:using a packet based solution instead.
:What is the consensus or at least, what are the most popular opinions,
:when it comes to netflow? Does this person have a point, or is this all
:nonsense?
I would say that the person is correct that detection of anomalies
is -most- accurate when all the content of all of the packets is available
(and being processed by something which can keep up), but I wouldn't
say that that makes netflow or similar analysis useless.
What is the cost of a fibre tap? Together with a device which has
to be much faster than a dedicated high-performance router in order
to be able to examine every byte of every packet (considering that
the author was talking about situations in which the performance
of the router would be taxed by the flow recording.) And of the
parallel network infrastructure to report the results to an appropriate
location without taking any of the regular network bandwidth
(so as not to affect what is being measured)?
The author of the article claims that mirroring isn't as costly as
netflow, because the mirroring is done at the data plane (ASIC) level
rather than at the CPU level that netflow requires. The author is
making a number of assumptions about device architecture. My
[mis-?] understanding of netflow in Cisco's higher end devices is that
netflow is mostly handled in a distributed manner, with the CPU *not*
being involved for every packet.
My summary of the article would be that the author is saying,
a) "There are some things that you cannot detect just looking at
IPs and port numbers"
- this is true and is why (e.g.) Cisco handles packet-level inspection at
wire-speeds on their newer [123]8xx router series and their newer
security appliance series
- defence in depth: you don't give up on a strategy just because
it isn't able to discover -everything-
b) "flow analysis might overload the router"
- this is less true than the author suggests
- this can be alleviated by reading the flow packets off a dedicated
interface
- if your router is running that close to capacity, you should probably
be upgrading anyhow, as you probably haven't provisioned the router
to be able to effectively take on extra load as required for your
failover strategies
--
This signature intentionally left... Oh, darn!
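As an added illustration of point (a) above, not code from either poster: a flow-record heuristic run over constructed NetFlow-style records. It flags a source by destination port fan-out and single-packet flows, which the header fields in a flow record do expose, while the flow carrying a hostile payload on port 80 looks identical to ordinary web traffic; the record layout and thresholds are assumptions.

```python
"""Flow-record anomaly heuristics (added example; record format and thresholds assumed)."""
from collections import defaultdict

# Constructed sample flows, NetFlow-v5 style: (src_ip, dst_ip, dst_port, proto, packets, bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80, 6, 12, 9000),
    ("10.0.0.5", "192.0.2.10", 443, 6, 30, 40000),
    # One source touching 40 ports on one host with single-packet flows:
    # visible from IPs, ports and counters alone.
    *[("10.0.0.9", "192.0.2.20", p, 6, 1, 60) for p in range(20, 60)],
    # A web flow whose payload is hostile: indistinguishable in flow data,
    # which is the gap that only packet-level inspection closes.
    ("10.0.0.7", "192.0.2.10", 80, 6, 15, 11000),
]


def port_fanout(flows, threshold=25):
    """Return {src_ip: distinct (dst, port) count} for sources at or above threshold."""
    pairs = defaultdict(set)
    for src, dst, dport, _proto, _pkts, _nbytes in flows:
        pairs[src].add((dst, dport))
    return {src: len(p) for src, p in pairs.items() if len(p) >= threshold}


def tiny_flow_ratio(flows, src_ip):
    """Fraction of a source's flows that are single-packet (scan-like)."""
    mine = [f for f in flows if f[0] == src_ip]
    if not mine:
        return 0.0
    return sum(1 for f in mine if f[4] == 1) / len(mine)


def detect(flows):
    """Combine both heuristics; returns a list of (src_ip, reason) findings."""
    findings = []
    for src, n in port_fanout(flows).items():
        ratio = tiny_flow_ratio(flows, src)
        findings.append((src, f"{n} distinct dst:port pairs, {ratio:.0%} single-packet flows"))
    return findings


if __name__ == "__main__":
    for src, reason in detect(SAMPLE_FLOWS):
        print(f"{src}: {reason}")
```

The hostile flow from 10.0.0.7 produces no finding, which is the point the thread makes about defence in depth rather than a bug in the heuristic.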